Heartland Is Once Again PCI-Approved. Will It Last?
Bernanke Says Recession Over End of Year! NOT!

Medical ID-Theft, Extortion, Credit Monitoring Services, and The State of Identity Protection

I try really hard in this blog to highlight the implications of things. Often, there are consequences for consumers. Sometimes the consequences are obvious and immediate. Sometimes they are not.

Perhaps you heard about a recent data breach at the Virginia Department of Health Professions. After stealing over 8 million consumers' health records, identity thieves demanded a $10 million ransom payment for the return of the stolen information. InformationWeek reported:

"An extortion demand posted on WikiLeaks seeks $10 million to return more than 8 million patient records and 35 million prescriptions allegedly stolen from Virginia Department of Health Professions... The note goes on to demand $10 million within seven days, presumably from the time the data was apparently seized on April 30, in exchange for the key to decrypt the encrypted backup."

The thieves threatened to sell the stolen data on the black market, if they don't receive payment by the deadline... presumably Thursday May 7.

You probably read this and said to yourself, "No problem. I don't live in Virginia, so my data wasn't stolen." Well there is a big problem.

First, there have been prior cases of medical identity theft and extortion. One consequence for consumers: identity thieves have targeted consumers' medical records. Experts estimated that about 3% of all health care spending is lost to medical fraud.

Identity thieves will steal consumers' medical information to either use themselves, or to resell to others. The sad fact: your medical information has value to people who want medical care and don't want to pay for it. So, using another person's stolen identity is a way to get free medical care.

In his Identity Theft and Business blog, John Taylor described the consequences for medical identity theft and fraud victims:

"When my medical records are stolen and used for cash, or I can no longer get health insurance because my records have been corrupted and claims are made against my policy... what will Todd Davis of Lifelock, or Bo Holland of Debix, or Daryl Yurek of ID Watchdog do to help me? Will they provide me with ready access to attorneys who will represent me as a victim of Medical identity theft? Will they help me to sort out my records for accuracy, and help to amend my insurance data, and help to remove false claims from my records. Will they provide any assistance whatsoever for medical records fraud or theft, or ransom?"

An implication for consumers: these are questions consumers should ask themselves now. If your medical records are stolen, how will you fix the damage done by identity thieves? Fixing the damage is a lot more complicated and longer than getting a replacement credit card after credit card fraud.

This is a poor way to operate the health care industry.

Another implication for consumers: know the gaps that exist. Most identity protection companies have done a lot to help consumers protect their credit reports, but haven't done much to protect medical information. This also applies to the three major credit reporting agencies: Equifax, Experian, and TransUnion. They are no better, since they have focused only on protecting credit reports. That's why their services are called credit monitoring services and not identity protection services.

This is a poor way to operate an identity protection industry.

Another implication for consumers: the companies that sell C.L.U.E. insurance reports to other companies have done no better either. Read my prior posts about insurance reports and Choicepoint, which offers Security Freezes in only 8 states and not nationwide like the major credit reporting agencies. That's another gap in consumers' identity protection.

This is a poor way to operate an insurance industry.

It was just last month that the U.S. Federal Trade Commission (FTC):

"... announced that it has approved a Federal Register notice seeking public comment on a proposed rule that would require entities to notify consumers when the security of their electronic health information is breached. The American Recovery and Reinvestment Act of 2009 (the Recovery Act) includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information."

Yes, you read that correctly. The FTC is still discussing laws to require companies to notify consumers when their medical information is stolen/lost. And, the FTC doesn't expect to finish until February 2010. Faster action by government is required. Identity thieves aren't waiting, and many states have had breach notification laws (for other types of consumer information) in place for the past five years or so.

If this state of affairs bothers you (and I sincerely hope that it does), I encourage you learn more about medical identity theft. Then, contact your elected officials in Congress and demand consistent consumer protection and notification across credit reports, insurance reports, and medical information. When you visit your doctor or HMO, ask them what they are doing to protect your sensitive personal data. Also demand a printed copy of their data security policy.

Since I have started this blog, I have searched for a truly comprehensive identity protection service, which should include:

  • Unlimited access to the full text of all of my credit reports from both the major credit reporting agencies and from the smaller, regional credit reporting agencies (e.g., Innovis)
  • Unlimited access to the full text of all of my C.L.U.E. insurance reports
  • Unlimited access to the full text of all of my sensitive personal medical information
  • Monitoring of my identity across social networking sites
  • Instant e-mail, text messaging, Twitter, or RSS alerts about status changes to any of the above
  • Tools and calculators to help me evaluate these reports
  • The ability for to customize alerts based on my individual needs
  • Options to add Fraud Alerts to any or all of the above reports
  • Options to add Security Freezes to any or all of the above reports
  • Criminal fraud monitoring (if my identity is used by thieves during a crime)
  • Identity fraud assistance when traveling outside the USA
  • Identity resolution services and insurance for all of the above reports
  • 24/7, and easy access to a real person in customer service via phone
  • Arrangements with employers so that after a data breach, I get reimbursed for my monthly fee for this service, rather than receive an offer for another credit monitoring service I don't need

Consumers can't get all of the above. To get large portions of it, you'd have to cobble together at least five or six different services. It shouldn't be this hard.

So, as far as I can tell a truly comprehensive identity protection service doesn't exist. When it does, I will be happy to subscribe.


Feed You can follow this conversation by subscribing to the comment feed for this post.

Rachel J

Excellent post! You have detailed many of the same gaps we feel puts victims at unnecessary risk. ID Experts is actively participating in providing feedback and suggestions regarding suggestions for breach notifications rules, regulations and victim rights.
The FTC is requesting comments from the general public on this matter at:


The comments to this entry are closed.